Working on Ending Passwords
Whenever you create a new password, you accept all the problems and vulnerabilities that come packaged in the key.
Forgetting, phishing, repeated use, easily guessed combinations, hackers’ brute-force-attack algorithms, and keystroke readers—they’re all part of the bargain. There must be a better way.
The father of computer passwords was Fernando Corbató, a pioneer in time-sharing operating systems. He came up with the idea in 1961. Today, these keys are as common as house keys and are embedded deep in the legacy architectures of our computers and networks.
Biometrics, most commonly facial and fingerprint recognition, are one way to eliminate many of the vulnerabilities of passwords. Another is two-factor verification, which messages you a one-time string of numbers and letters that must be entered along with your password to complete the sign-in. There are also a variety of hardware solutions, such as USB and Bluetooth security tokens, tamperproof chips called embedded secure elements (eSE), near-field communication (NFC) devices, and trusted platform modules (TPMs), embedded modules that encrypt and decrypt information such as authentication credentials. But as these solutions proliferate, it becomes more difficult to coordinate so many standards into a universal solution.
A quick look at two major providers illustrates this problem of diverging paths. In June 2021, Microsoft announced Windows 11 would have “new hardware security requirements built-in that will give [its] customers the confidence they are even more protected from the chip to cloud on certified devices…with built-in hardware-based isolation, proven encryption, and [its] strongest protection against malware.” And it promised this “chip-to-cloud Zero Trust out of the box” (that will come with a TPM 2.0 chip on all certified Windows 11 systems) will work with Windows Hello and BitLocker.
Also in June 2021, Apple described its new passwordless login technology, which works on iPhones, iPads, and Macs. You create a passkey by choosing a username for your device and then use FaceID or TouchID to authenticate that the sign-in is really from you. You don’t have to pick a password because “Your device handles generation and storage of the passkey, which iCloud Keychain synchronizes across all your Apple devices.” And you don’t need an app; the system is embedded in your device. When you sign in on any site for which you have saved the password in Keychain, authentication becomes a one-tap process. The passkey is based on an adaptation of the Web Authentication (WebAuthn) technology, a web standard published by the World Wide Web Consortium (W3C). WebAuthn is a universal standard, but Apple’s solution was designed to work only on Apple devices.
THE FIDO ALLIANCE
Formed in July 2012, the FIDO Alliance is an industry consortium whose primary goal is to develop and promote authentication standards that “help reduce the world’s over-reliance on passwords.” The name is an acronym for “fast identity online.”
To succeed, the venture will require cooperation and consensus. The cooperation will be among its many member companies, including Google, Amazon, American Express, Intel, Meta, Microsoft, PayPal, Samsung, Wells Fargo, Yahoo, eBay, Discover, Fidelity, Red Hat, Netflix, Sony, scores more of the largest companies, and even governmental agencies. The consensus part involves integrating FIDO’s core standard into a company’s authentication processes. That standard, now called FIDO2, has two requirements: WebAuthn, the open W3C standard that supports verification across web applications with public-key cryptography, and the Client to Authenticator Protocol 2 (CTAP2), a standard developed by the FIDO Alliance. FIDO2 supports many authentication technologies, including biometrics, TPMs, eSEs, and NFC devices. The goal is open resources that can support authentication and interoperability between systems, and the FIDO effort has now stretched over a decade.
A major stumbling block involving usability now has a solution, according to a March 2022 white paper titled How FIDO Addresses a Full Range of Use Cases. To remove the difficulty of adding new devices to your environment, FIDO members collaborated on having operating systems add a FIDO credential manager that functions like an onboard password manager.
When Wired magazine asked Christiaan Brand, product manager for identity and security at Google, his reaction to this latest news on FIDO’s progress toward a passwordless future, he said, “I feel like everything is coalescing. This should be durable.” Perhaps, now, finally we’ll be able to add “doable.”